2nd/10_Wiki/Topics/AI_and_ML/SCA_Fundamentals.md
koriweb d8a80f6272 chore(wiki): normalize dangling links to canonical titles (768 files / 1,200 links)
Replaced [[wikilinks]] that differ only in spelling (notation variants) with the target document's canonical title, reconnecting 1,200 broken links. Only title/filename normalization matches were applied; alias matching was excluded because of the over-merge risk (ambiguity guard). Originals are backed up in _link_reconcile_backup/.
Tool: Datacollect/scripts/link_reconcile_apply.mjs

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-08 12:24:15 +09:00


---
id: wiki-2026-0508-sca-fundamentals
title: SCA Fundamentals (Software Composition Analysis)
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases:
  - Software Composition Analysis
  - Dependency Scanning
  - OSS Security
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags:
  - sca
  - security
  - devsecops
  - sbom
  - supply-chain
raw_sources:
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: Multi
  framework: Snyk / Dependabot / Trivy / Grype
---

SCA Fundamentals (Software Composition Analysis)

One-liner

Vulnerability / license / integrity scanning of every third-party (OSS) dependency: the baseline control for a world in which 80%+ of a modern application is OSS code. Heartbleed (2014), Equifax/Struts (2017), Log4Shell (2021) and the xz-utils backdoor (2024) pushed SBOM + SCA from good practice into obligations under NIST guidance, the EU CRA and US EO 14028. It is the first line of defense in the supply-chain-attack era of 2026.

Core

What SCA scans

  • Direct deps: manifests (package.json, requirements.txt, go.mod, Cargo.toml) plus their lockfiles (package-lock.json, poetry.lock, go.sum, Cargo.lock), which pin what is actually installed.
  • Transitive deps: the full resolved dependency tree (often 10x the direct count); most findings live here.
  • Container images: OS packages + application deps in each layer (Trivy, Grype).
  • License: GPL/AGPL/proprietary compliance.
  • Integrity: signatures and build provenance (Sigstore, SLSA).
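The lockfile and transitive-dependency points above, as an added example that is not the wiki's own code: a minimal scanner in Python that walks an npm `package-lock.json` (the lockfileVersion 2/3 `packages` map), enumerates direct and transitive packages, and matches each against advisories written in OSV's `introduced`/`fixed` event form. The lockfile, the advisories and their `EXAMPLE-000x` IDs are constructed for the example (not real packages or advisories), and the version compare is a simplified semver ordering, not a full implementation.

```python
"""Enumerate every installed package from an npm lockfile and match it against
OSV-style advisories. Added example; lockfile and advisories are constructed."""
import json

# Constructed lockfile (lockfileVersion 3 shape). "lodash" is only reachable through
# the direct dependency "express-ish", so a manifest-only scan would never see it.
LOCKFILE = json.loads("""
{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"express-ish": "^1.0.0"}},
    "node_modules/express-ish": {"version": "1.2.0", "dependencies": {"lodash": "^4.17.0"}},
    "node_modules/express-ish/node_modules/lodash": {"version": "4.17.15"},
    "node_modules/semver-ish": {"version": "7.5.4", "dev": true}
  }
}
""")

# Constructed advisories in the shape of OSV affected.ranges[].events (placeholder IDs).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "lodash", "ecosystem": "npm", "severity": "HIGH",
     "events": [{"introduced": "0"}, {"fixed": "4.17.21"}]},
    {"id": "EXAMPLE-0002", "package": "express-ish", "ecosystem": "npm", "severity": "CRITICAL",
     "events": [{"introduced": "2.0.0"}, {"fixed": "2.0.3"}]},
]


def parse_version(v):
    """Simplified semver: numeric core only; pre-release/build metadata is dropped."""
    core = v.split("-")[0].split("+")[0]
    return tuple(int(x) for x in core.split("."))


def affected_intervals(events):
    """OSV SEMVER semantics: 'introduced' opens a vulnerable interval, 'fixed' closes it.
    '0' means 'from the first version ever'; a trailing 'introduced' means still unfixed."""
    intervals, start = [], None
    for ev in events:
        if "introduced" in ev:
            start = (0,) if ev["introduced"] == "0" else parse_version(ev["introduced"])
        elif "fixed" in ev and start is not None:
            intervals.append((start, parse_version(ev["fixed"])))
            start = None
    if start is not None:
        intervals.append((start, None))
    return intervals


def is_affected(version, events):
    v = parse_version(version)
    return any(v >= lo and (hi is None or v < hi) for lo, hi in affected_intervals(events))


def lockfile_packages(lock, include_dev=False):
    """Yield (name, version, path, is_direct) for every installed package.
    The name is the text after the last 'node_modules/' in the path, which is how
    nested (non-hoisted) transitive copies are recorded; scoped names survive intact."""
    direct = set(lock["packages"][""].get("dependencies", {}))
    for path, meta in lock["packages"].items():
        if not path or (meta.get("dev") and not include_dev):
            continue
        name = path.split("node_modules/")[-1]
        yield name, meta["version"], path, name in direct


def scan(lock, advisories, include_dev=False):
    """Match every lockfile package (direct and transitive) against the advisories."""
    findings = []
    for name, version, path, is_direct in lockfile_packages(lock, include_dev):
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv["events"]):
                findings.append({"id": adv["id"], "package": name, "version": version,
                                 "path": path, "direct": is_direct, "severity": adv["severity"]})
    return findings


if __name__ == "__main__":
    for f in scan(LOCKFILE, ADVISORIES):
        kind = "direct" if f["direct"] else "transitive"
        print(f'{f["severity"]:8} {f["id"]} {f["package"]}@{f["version"]} ({kind}, {f["path"]})')
```

Run against the constructed input, the only finding is the transitive `lodash@4.17.15`; `express-ish@1.2.0` sits outside the advisory's `[2.0.0, 2.0.3)` interval and the dev-only package is skipped unless `include_dev=True`. A real scanner sends the same package/version pairs to OSV's batch query API instead of a local list.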

Vulnerability sources

  • NVD/CVE: NIST National Vulnerability Database (CVSS scores, CPE matching).
  • GitHub Advisory Database (GHSA): ecosystem-aware, maps advisories to package versions.
  • OSV.dev: Google-run aggregated open-source vuln DB with a machine-readable version-range schema.
  • Vendor advisories: Snyk DB, Mend, Sonatype OSS Index.
  • EPSS (FIRST): Exploit Prediction Scoring System, probability of exploitation in the next 30 days for prioritization.

SBOM formats

  • SPDX: ISO/IEC 5962, Linux Foundation; license-heritage format.
  • CycloneDX: OWASP, security-focused, carries vulnerabilities and VEX in the same document.
  • VEX (Vulnerability Exploitability eXchange): "vulnerable component present, but not exploitable in our configuration", the per-finding statement that makes an SBOM actionable.

Applications

  1. PR-time scanning (Dependabot, Snyk PR check).
  2. Container scan in CI (Trivy in GitHub Actions).
  3. SBOM generation for compliance (EU CRA, US EO).
  4. Runtime correlation (Sysdig, Wiz — used vs unused vulns).
  5. License audit before release.

💻 패턴

npm audit + fix in CI

```bash
# Fails the build on high/critical advisories; --audit-level sets the exit-code threshold.
# npm audit resolves versions from package-lock.json, so the lockfile must be committed.
npm audit --audit-level=high --json > audit.json
# Auto-fix semver-compatible (non-breaking) updates
npm audit fix
# --force also takes semver-major updates and can break the build: dev branches only
npm audit fix --force
```

Trivy container scan (GitHub Actions)

```yaml
# The job needs `permissions: security-events: write` for the SARIF upload.
- name: Run Trivy
  uses: aquasecurity/trivy-action@master   # pin to a release tag or commit SHA in production
  with:
    image-ref: 'ghcr.io/org/app:${{ github.sha }}'
    format: 'sarif'
    output: 'trivy.sarif'
    severity: 'CRITICAL,HIGH'
    exit-code: '1'            # fail the job when findings remain ...
    ignore-unfixed: true      # ... but only count findings that have a fix available
- uses: github/codeql-action/upload-sarif@v3
  if: always()                # upload even when the Trivy step failed the job
  with: { sarif_file: 'trivy.sarif' }
```

CycloneDX SBOM (Python)

```bash
pip install cyclonedx-bom
# cyclonedx-bom 4.x CLI: one subcommand per source, --of selects JSON or XML.
# `requirements` describes declared pins; `cyclonedx-py environment` describes what is installed.
cyclonedx-py requirements requirements.txt --of JSON -o sbom.json
# Validate with the separate CycloneDX CLI (cyclonedx-cli binary, not the pip package)
cyclonedx validate --input-file sbom.json --input-format json --fail-on-errors
```

Dependabot config (GitHub)

```yaml
# .github/dependabot.yml
# Governs version updates; security updates are switched on in the repository settings.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule: { interval: "weekly" }
    open-pull-requests-limit: 10
    groups:
      minor-and-patch:            # one PR for all minor/patch bumps; majors stay separate
        update-types: ["minor", "patch"]
  - package-ecosystem: "docker"   # base-image tags in Dockerfiles
    directory: "/"
    schedule: { interval: "daily" }
```

EPSS-based prioritization

```python
import requests

EPSS_API = "https://api.first.org/data/v1/epss"


def epss_score(cve_id, timeout=10):
    """Return (epss, percentile) for one CVE from FIRST's EPSS API, or (None, None) if unknown."""
    r = requests.get(EPSS_API, params={"cve": cve_id}, timeout=timeout)
    r.raise_for_status()
    data = r.json().get("data", [])
    if not data:
        return None, None
    return float(data[0]["epss"]), float(data[0]["percentile"])


# Prioritize: high CVSS AND high EPSS (likely to be exploited in the wild).
# scan_results / page_oncall are hooks into your scanner output and paging system.
for cve in scan_results:
    epss, pct = epss_score(cve.id)
    if cve.cvss >= 7.0 and epss is not None and epss > 0.5:  # 0.5 is a policy knob; tune per team
        page_oncall(cve)
```

Sigstore cosign verification (provenance)

```bash
# Verify the image was signed (keyless, Fulcio certificate) by a trusted GitHub Actions workflow.
# The identity binds the workflow path AND the ref, so a signature from a feature branch is rejected.
cosign verify ghcr.io/org/app:v1.2.3 \
  --certificate-identity "https://github.com/org/repo/.github/workflows/release.yml@refs/tags/v1.2.3" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
# For SLSA provenance attached as an attestation use `cosign verify-attestation --type slsaprovenance` with the same identity flags.
```

VEX statement (CycloneDX)

A VEX document is itself a CycloneDX BOM, so it needs the `bomFormat`/`specVersion` envelope, and each statement needs `affects.ref` pointing at the component's `bom-ref` in the SBOM; without that reference consumers cannot apply the statement.

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "vulnerabilities": [{
    "id": "CVE-2024-XXXX",
    "ratings": [{"severity": "critical"}],
    "affects": [{"ref": "<bom-ref of lib X in the SBOM>"}],
    "analysis": {
      "state": "not_affected",
      "justification": "code_not_reachable",
      "detail": "Vulnerable function in lib X is never called; entrypoint disabled."
    }
  }]
}
```
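Added example (not from the wiki) of consuming a VEX document the way the SBOM-formats section and the "SBOM but no VEX" anti-pattern imply: the SBOM, the VEX and the scanner findings are constructed inline with placeholder package names and `EXAMPLE-100x` IDs, and the code suppresses a finding only for a well-formed statement, i.e. one whose `affects.ref` exists in the SBOM and whose `not_affected` carries a justification (CISA's minimum requirements for VEX call for one). Everything else stays actionable and the malformed statements are reported so they can be fixed rather than silently ignored.

```python
"""Apply a CycloneDX VEX document to scanner findings. Added example; all inputs constructed."""
import json

# Constructed SBOM: two components identified by bom-ref (here equal to their purl).
SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [
    {"type": "library", "bom-ref": "pkg:pypi/libx@2.3.0", "name": "libx", "version": "2.3.0"},
    {"type": "library", "bom-ref": "pkg:pypi/liby@1.0.0", "name": "liby", "version": "1.0.0"}
  ]}""")

# Constructed VEX: one good statement, one missing its justification, one pointing at a
# component that is no longer in the SBOM (a stale statement after an upgrade).
VEX = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "vulnerabilities": [
    {"id": "EXAMPLE-1001", "affects": [{"ref": "pkg:pypi/libx@2.3.0"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                  "detail": "vulnerable parser entrypoint is never called"}},
    {"id": "EXAMPLE-1002", "affects": [{"ref": "pkg:pypi/liby@1.0.0"}],
     "analysis": {"state": "not_affected"}},
    {"id": "EXAMPLE-1003", "affects": [{"ref": "pkg:pypi/libz@0.9.0"}],
     "analysis": {"state": "not_affected", "justification": "vulnerable_code_not_present"}}
  ]}""")

# Constructed scanner output: (vuln id, bom-ref/purl of the affected component, severity)
FINDINGS = [
    ("EXAMPLE-1001", "pkg:pypi/libx@2.3.0", "critical"),
    ("EXAMPLE-1002", "pkg:pypi/liby@1.0.0", "high"),
    ("EXAMPLE-1004", "pkg:pypi/liby@1.0.0", "medium"),
]

# CycloneDX analysis states that justify dropping a finding from the actionable list.
SUPPRESSING_STATES = {"not_affected", "resolved", "false_positive"}


def index_vex(vex, sbom):
    """Map (vuln id, component ref) -> analysis for well-formed statements only.
    Returns (table, rejected); rejected lists statements that must not suppress anything."""
    refs = {c["bom-ref"] for c in sbom.get("components", [])}
    table, rejected = {}, []
    for v in vex.get("vulnerabilities", []):
        analysis = v.get("analysis", {})
        for aff in v.get("affects", []):
            ref = aff["ref"]
            if ref not in refs:
                rejected.append((v["id"], ref, "ref not in SBOM (stale VEX?)"))
            elif analysis.get("state") == "not_affected" and not analysis.get("justification"):
                rejected.append((v["id"], ref, "not_affected without justification"))
            else:
                table[(v["id"], ref)] = analysis
    return table, rejected


def apply_vex(findings, vex_table):
    """Split findings into (actionable, suppressed); suppression needs an exact (id, ref) match."""
    actionable, suppressed = [], []
    for vid, ref, sev in findings:
        analysis = vex_table.get((vid, ref))
        if analysis and analysis.get("state") in SUPPRESSING_STATES:
            suppressed.append((vid, ref, sev, analysis["state"], analysis.get("justification")))
        else:
            actionable.append((vid, ref, sev))
    return actionable, suppressed


if __name__ == "__main__":
    table, rejected = index_vex(VEX, SBOM)
    actionable, suppressed = apply_vex(FINDINGS, table)
    for item in rejected:
        print("REJECTED VEX", item)
    for item in suppressed:
        print("SUPPRESSED  ", item)
    for item in actionable:
        print("ACTIONABLE  ", item)
```

With the constructed input, `EXAMPLE-1001` is suppressed on the strength of the `code_not_reachable` justification, `EXAMPLE-1002` stays actionable because its statement has no justification, and `EXAMPLE-1003` is flagged as stale because its ref is not in the SBOM. Matching on the exact (id, ref) pair is deliberate: a statement about `libx@2.3.0` says nothing about `libx@2.4.0`, so a VEX document has to be regenerated when the SBOM changes.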

Grype with custom policy

```bash
# Fail on high+ findings that already have a fix; vendored code is excluded from the walk.
# Per-repo accepted risks go in .grype.yaml under `ignore:` rather than on the command line.
grype dir:./app -o sarif --file grype.sarif --fail-on high \
  --only-fixed \
  --exclude './vendor/**'
```

Decision criteria

| Situation | Approach |
|---|---|
| Open source project | Dependabot (free, GitHub-native) |
| Polyglot enterprise | Snyk / Mend / Sonatype Lifecycle |
| Container-heavy | Trivy / Grype + admission controller |
| Air-gapped | Self-hosted DB (Anchore Enterprise, Trivy with a locally mirrored DB) |
| Compliance (EU CRA, FedRAMP) | SBOM + VEX + signed attestations (SLSA L3+) |

Default: Trivy in CI + Dependabot for upgrades + CycloneDX SBOM + Sigstore signing.

🔗 Graph

🤖 Using LLMs

When: triaging vuln noise (false positive vs real), drafting VEX justifications from code context, summarizing a CVE for stakeholders, suggesting upgrade paths. When not: as the source of truth for vulnerability data; use NVD/OSV/GHSA for that. The LLM is only for prioritization and explanation.

Anti-patterns

  • Scan once, ship: new vulns are disclosed after release; monitor the shipped SBOM continuously.
  • Block on every CVE: dev fatigue leads to a bypass culture; gate on EPSS + reachability instead.
  • No transitive scan: direct deps look clean while a transitive dep carries a critical CVE.
  • SBOM but no VEX: dumping 10k findings on customers without exploitability context.
  • Ignoring lockfiles: scanning only the manifest misses the pinned, vulnerable transitive version that is actually installed.

🧪 Verification / duplicates

  • Verified against NIST SP 800-218 (SSDF), CISA SBOM guidance, OWASP Dependency-Track.
  • Confidence: A.

🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: SCA, SBOM, EPSS, VEX, Sigstore patterns |